Bug#754924: gnome-shell: Get Gnome3 Failed screen due to missing bluetooth library

2014-07-15 Thread Matthew Grant
Source: gnome-shell
Severity: grave
Justification: renders package unusable

Dear Maintainer,


Used aptitude to upgrade to Gnome 3.12

Rebooted system gdm3 did not work, just gave black X11 screen

Switched to lightdm, logging into desktop gave Gnome Failed unhappy face
screen.

Checked /var/log/syslog, gnome-session had logged:

Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while
loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared
object file: No such file or directory
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App
'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop'
exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: /usr/bin/gnome-shell: error while
loading shared libraries: libgnome-bluetooth-applet.so.0: cannot open shared
object file: No such file or directory
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App
'gnome-shell.desktop' exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: gnome-session[6411]: WARNING: App
'gnome-shell.desktop' respawning too quickly
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop'
exited with code 127
Jul 16 12:35:01 moriah gnome-session[6411]: WARNING: App 'gnome-shell.desktop'
respawning too quickly
Jul 16 12:35:01 moriah gnome-session[6411]: Unrecoverable failure in required
component gnome-shell.desktop




-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)


-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#695192: bind9: CVE-2012-5688

2012-12-12 Thread Matthew Grant
Why does the Wheezy release team have its nose so stuck up about a minor
upstream version number?

9.8.4-P1 IS ISC's official bug fixed release of the 9.8.x source tree,
INCLUDING 9.8.1*

Don't drive the security maintainers into loops about unsupported code in
an upcoming stable release!

Sheesh, sometimes dogged adherence to policy is NOT achieving our main end
results.

Cheers,

Matthew Grant

On Thu, Dec 13, 2012 at 6:52 AM, Moritz Muehlenhoff j...@inutil.org wrote:

 On Wed, Dec 05, 2012 at 05:25:36AM -0700, LaMont Jones wrote:
  On Wed, Dec 05, 2012 at 09:31:00AM +0100, Moritz Muehlenhoff wrote:
   Package: bind9
   Severity: grave
   Tags: security
   Justification: user security hole
   Please see https://kb.isc.org/article/AA-00828
   Stable is not affected. This needs to be fixed through testing-proposed-updates,
   since the testing and unstable packages have diverged and won't be updated that
   late in the freeze.
 
  I've been holding unstable at 9.8 in the hope that it might make it into
  testing.  ISC has quit supporting 9.8.1, I'd like to as well.
 
  I'll look into the backport soon, if the security team doesn't beat me to it.

 LaMont, can you upload a version targeted at testing-proposed-updates based on
 1:9.8.1.dfsg.P1-4.4 ?

 Cheers,
 Moritz




Bug#690142: marked as done (remote named DoS on recursor (CVE-2012-5166))

2012-10-28 Thread Matthew Grant
Hi There!

Just trying to avoid people wasting effort on bind9 NMU work.

I am working with LaMont Jones on an update for wheezy to bind9 9.8.4,
rebased on the ISC 9.8.4 code, which will definitely close #690569,
#690142, and maybe #689755.  (The rest of the Important bugs appear to
be with old versions of bind9 before 9.7.x.)

The main reason is to reduce the work required for security patching and
to mostly eliminate the risk of introducing new bugs with the fixes.

It has been found that the data structures between ISC bind9 9.8.1 and
9.8.4 have markedly changed due to essential protocol fixes and security
fixes.  Applying patches is no longer that simple a matter, with a
considerable risk of introducing new bugs.

I originally adapted up the patch for bind9 9.8.1.dfsg.P1-4.2, and was
proceeding to fix #690569 DNS wildcards fail to resolve with DNSsec
enabled when I found that there was a serious risk of introducing
new bugs, and desisted from NMUing bind9. (I was a professional C router
programmer)

There is also the matter of #689755 bind9: memory leak in named.  I am
currently working on an ISP DNS project based on wheezy, and have
observed some suspicious behaviour in this regard.  On reading the ISC
CHANGES file for 9.8.4, there are fixes that could be related to this
sort of behavior.

This is a notice that the bind9 9.8.1.dfsg.P1-4.x package might be
replaced, after going through the appropriate channels (Debian Release
Team). LaMont will be uploading our work to wheezy-proposed shortly.

A repository of work done so far is up at
http://anonscm.debian.org/git/collab-maint/bind9.git/

Thank you very much for your patience.

Best Regards,

Matthew Grant

On 29/10/12 11:21, Debian Bug Tracking System wrote:
 Your message dated Sun, 28 Oct 2012 23:16:32 +0100
 with message-id 20121028221632.ga21...@spike.0x539.de
 and subject line fixed in 9.8.1.dfsg.P1-4.3
 has caused the Debian Bug report #690142,
 regarding remote named DoS on recursor (CVE-2012-5166)
 to be marked as done.
 
 This means that you claim that the problem has been dealt with.
 If this is not the case it is now your responsibility to reopen the
 Bug report if necessary, and/or fix the problem forthwith.
 
 (NB: If you are a system administrator and have no idea what this
 message is talking about, this may indicate a serious mail system
 misconfiguration somewhere. Please contact ow...@bugs.debian.org
 immediately.)
 
 






Bug#690410: Puredata 0.43.2-4 crashing due to _FORTIFY_SOURCE with large patch

2012-10-27 Thread Matthew Grant
Package: puredata
Followup-For: Bug #690410

Recompiled puredata with the following 2 lines added to the top of 
debian/rules:

# Stop problems with puredata crashing due to buffer space issues?
export DEB_BUILD_MAINT_OPTIONS=hardening=+format,-fortify,+stackprotector,+relro

This turns off _FORTIFY_SOURCE.  Puredata works without problems with the 
PD 'patches' in my project.

If you look at the back trace in the stack dump in the original bug report,
it crashed in:

pd(pd_typedmess+0x45b)[0x456fab]
pd(outlet_anything+0x4a)[0x458eca]
pd(pd_typedmess+0x1db)[0x456d2b]
pd(binbuf_eval+0x90b)[0x4600fb]
pd(outlet_list+0x4a)[0x458e3a]
pd[0x455b5c]
pd(outlet_float+0x3f)[0x458d0f]
pd(outlet_bang+0x29)[0x458be9]
pd(sched_tick+0x77)[0x463047]
pd(m_mainloop+0x1e9)[0x463319]

bang, float, list are basic puredata objects.  binbuf_eval() is also one of the 
functions.  It looks like puredata uses functions like strcat(), strcpy() in 
non-conventional ways with some kind of buffer.  

Turning off _FORTIFY_SOURCE looks like it needs to be done to ensure 100%
functionality.  Just patching one or two instances of the functions may not get
all the problem points fixed as the puredata algorithms probably assume that 
the functions will copy/concatenate indefinitely throughout the whole code 
base.

Talk to upstream before turning on _FORTIFY_SOURCE please.

Regards,

Matthew Grant



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.23 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages puredata depends on:
ii  puredata-core   0.43.2-5~0mag1
ii  puredata-dev    0.43.2-5~0mag1
ii  puredata-doc    0.43.2-5~0mag1
ii  puredata-extra  0.43.2-5~0mag1
ii  puredata-gui    0.43.2-5~0mag1
ii  puredata-utils  0.43.2-5~0mag1

Versions of packages puredata recommends:
ii  gem  3:0.93.3-6~0mag0

Versions of packages puredata suggests:
ii  pd-aubio   0.3.2-4.2+b1
ii  pd-csound  1:5.17.11~dfsg-2
ii  pd-pdp     1:0.12.5-2
ii  pd-zexy    2.2.5-1

-- no debconf information





Bug#690142: remote named DoS on recursor (CVE-2012-5166)

2012-10-14 Thread Matthew Grant
Package: bind9
Version: 1:9.8.1.dfsg.P1-4.2
Followup-For: Bug #690142

Dear Maintainer,

Attaching a patch for this version of Debian bind9.  NMUing in 2 days with
1:9.8.1.dfsg.P1-4.3


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- /tmp/bind9-9.8.1.dfsg.P1/bin/named/query.c	2011-11-16 22:32:08.0 +1300
+++ bind9-9.8.1.dfsg.P1/bin/named/query.c	2012-10-15 13:48:55.572735596 +1300
@@ -1137,13 +1137,6 @@
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	*mnamep = mname;
 
 	CTRACE(query_isduplicate: false: done);
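Review bot: Removing the `name == mname` check at the end of query_isduplicate() changes what callers can receive through `*mnamep`: it may now be the very name they passed in. Every caller that does `query_releasename(client, fname); fname = mname;` has to cope with that, so the function's header comment should state the new contract, and the deleted remark about not triggering the caller's name replacement logic should move to the call sites that now carry that responsibility.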
@@ -1341,6 +1334,7 @@
 	if (dns_rdataset_isassociated(rdataset) 
 	!query_isduplicate(client, fname, type, mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, fname);
 			fname = mname;
 		} else
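Review bot: The added `INSIST(mname != fname);` makes this call site abort the server if the two pointers are ever equal, while the later hunks handle the same condition with an `if (mname != fname)` guard and carry on. For a fix to a remotely triggerable crash, please either explain in a comment why equality cannot occur on this path or use the same guard here, so that the assertion cannot become a new way to stop named.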
@@ -1401,11 +1395,13 @@
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 	   dns_rdatatype_a, mname)) {
-if (mname != NULL) {
-	query_releasename(client, fname);
-	fname = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		query_releasename(client, fname);
+		fname = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_APPEND(fname-list, rdataset, link);
 added_something = ISC_TRUE;
 if (sigrdataset != NULL 
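Review bot: In the new `if (mname != fname)` block, the case where the pointers are equal now skips both the release and `need_addname = ISC_TRUE`, with no comment saying why. A one-line comment that the name is already in the message and must be neither released nor added again would help, and braces on the inner `if`/`else` would make the nesting unambiguous.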
@@ -1444,11 +1440,13 @@
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 	   dns_rdatatype_, mname)) {
-if (mname != NULL) {
-	query_releasename(client, fname);
-	fname = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		query_releasename(client, fname);
+		fname = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_APPEND(fname-list, rdataset, link);
 added_something = ISC_TRUE;
 if (sigrdataset != NULL 
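Review bot: The `if (mname != fname)` guard and its body duplicate the preceding hunk line for line, and a third copy follows further down. Consider moving the release-or-mark-for-adding logic into one small helper so the `mname != fname` check cannot be missed at one site in a later change.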
@@ -1960,22 +1958,24 @@
 		crdataset-type == dns_rdatatype_) {
 			if (!query_isduplicate(client, fname, crdataset-type,
 	   mname)) {
-if (mname != NULL) {
-	/*
-	 * A different type of this name is
-	 * already stored in the additional
-	 * section.  We'll reuse the name.
-	 * Note that this should happen at most
-	 * once.  Otherwise, fname-link could
-	 * leak below.
-	 */
-	INSIST(mname0 == NULL);
-
-	query_releasename(client, fname);
-	fname = mname;
-	mname0 = mname;
-} else
-	need_addname = ISC_TRUE;
+if (mname != fname) {
+	if (mname != NULL) {
+		/*
+		 * A different type of this name is
+		 * already stored in the additional
+		 * section.  We'll reuse the name.
+		 * Note that this should happen at most
+		 * once.  Otherwise, fname-link could
+		 * leak below.
+		 */
+		INSIST(mname0 == NULL);
+
+		query_releasename(client, fname);
+		fname = mname;
+		mname0 = mname;
+	} else
+		need_addname = ISC_TRUE;
+}
 ISC_LIST_UNLINK(cfname.list, crdataset, link);
 ISC_LIST_APPEND(fname-list, crdataset, link);
 added_something = ISC_TRUE;
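Review bot: `INSIST(mname0 == NULL)` and the `mname0 = mname` assignment now run only when `mname != fname`, so the "at most once" invariant described in the comment no longer covers the case where the duplicate check hands back `fname` itself. Please extend the comment to say what is expected in that case, in particular that nothing is released and `mname0` stays unset.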


Bug#690410: Puredata 0.43.2-4 crashing due to _FORTIFY_SOURCE with large patch

2012-10-13 Thread Matthew Grant
Package: puredata
Version: 0.43.2-4
Severity: grave

I have a large puredata patch using GEM that was working early on last year.

At the moment it is crashing on start with calls to __fortify_fail() in libc.

There are two pds running, one handling sound and wiimote input, and a slave
doing GEM display work.  They communicate over a TCP socket.

Pure data with the _FORTIFY_SOURCE=2 is not usable for any serious work, 
destroying the purpose of the porting and packaging to Debian.
The same problems also show up in puredata plugins/libraries with this turned
on as well.  The one that blew up in the same way was gem-plugin-magick

I know that this is security hardening, and that buffer overflows are bad in
any application, as they tend to go and corrupt the running application.  

But puredata is an interpreted language program used by artists typically on 
closed off networks behind a firewall/router. It is hard enough to get going
properly without this unneeded security stuff being turned on. Please compile
puredata with _FORTIFY_SOURCE=0 for the whole puredata module stack and 
dependencies until the causes of this are fixed upstream.

I am going to try the puredata package compiled with _FORTIFY_SOURCE=0, and
see if I can get my valuable project going again.

BTW, I am a Debian Developer. 

Cheers,

Matthew Grant

PS: Stack dump of setup in line below.

$ cat antigua.sh 
#!/bin/bash

pd -noaudio -nomidi -lib Gem -nogui boatshed.pd 
pd antigua.pd
# Kill 1st pd on exit
kill %1

$ ./antigua.sh
sys_nmidiin 0, nmidiindev 1


@ the zexy external  2.2.5 @
@ (l)  forum::für::umläute @
@   iem   @  kug   @
@  compiled:  Nov 22 2011  @
@ send me a 'help' message @
priority 6 scheduling enabled.
priority 8 scheduling enabled.


warning: class 'abs~' overwritten; old one renamed 'abs~_aliased'
matchbox: OSC-pattern matching code (c) Matt Wright, CNMAT
warning: class 'wrap' overwritten; old one renamed 'wrap_aliased'
GEM: Graphics Environment for Multimedia
GEM: ver: 0.93.3 
GEM: compiled: Jun 11 2012
GEM: maintained by IOhannes m zmoelnig
GEM: Authors :  Mark Danks (original version)
GEM:Chris Clepper
GEM:Cyrille Henry
GEM:IOhannes m zmoelnig
GEM: with help by Guenter Geiger, Daniel Heckenberg, James Tittle, 
Hans-Christoph Steiner, et al.
GEM: found a bug? miss a feature? please report it:
GEM:homepage http://gem.iem.at/
GEM:bug-tracker http://sourceforge.net/projects/pd-gem/
GEM:mailing-list http://lists.puredata.info/listinfo/gem-dev/
open: /etc/pd/gem.conf: No such file or directory
open: /home/grantma/.pd/gem.conf: No such file or directory
open: ./gem.conf: No such file or directory
GEM: compiled for SIMD architecture: SSE2 MMX 
GEM: using SSE2 optimization
load plugins 'image' in '/usr/lib/pd/extra/Gem/'
pattern : /usr/lib/pd/extra/Gem/gem_image*.so
GEM: Only using 8 color bits
GEM: Direct Rendering enabled!
GEM: GLEW version 1.7.0
GEM: Start rendering
error: [pix_image]: failed to load image 
'/home/grantma/Desktop/Situational_Choreo_Project/pd/boat-shed-end.jpg'
verbose(4): ... you might be able to track this down from the Find menu.
priority 6 scheduling enabled.
priority 8 scheduling enabled.
*** buffer overflow detected ***: pd terminated
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f75d3577f37]
/lib/x86_64-linux-gnu/libc.so.6(+0xebdf0)[0x7f75d3576df0]
pd[0x49b5c0]
pd(pd_typedmess+0x45b)[0x456fab]
pd(outlet_anything+0x4a)[0x458eca]
pd(pd_typedmess+0x1db)[0x456d2b]
pd(binbuf_eval+0x90b)[0x4600fb]
pd(outlet_list+0x4a)[0x458e3a]
pd[0x455b5c]
pd(outlet_float+0x3f)[0x458d0f]
pd(outlet_bang+0x29)[0x458be9]
pd(sched_tick+0x77)[0x463047]
pd(m_mainloop+0x1e9)[0x463319]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7f75d34a9ead]
pd[0x415161]

Bug#681641: netscript-2.4: Missing quotes in if.conf for brg_iface() resulted in seriously misconfigured network

2012-07-14 Thread Matthew Grant
Package: netscript-2.4
Version: 5.2.11
Severity: serious
Tags: patch

Missing quotes when setting up bridge resulted in vlaned  eth0 interface being
on bridge brg0 with its vlan1 vlan interface.  vlan2 was connected to internet.

vlan1 traffic was slow, and connectivity came and went.  This happened when
IPv6 was explicitly disabled for eth0, and eth0 was not configured onto a
bridge.  It is a corner case configuration with a serious result in network
not functioning, and in the case of this system involved, leaking internal
traffic to the Internet.  Network configuration was not such that a system on
Internet could connect internally.

Quotes put on 3rd and 4th arguments to brg_iface interface up in if.conf
fixes this situation.



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages netscript-2.4 depends on:
ii  bash                            4.2-2
ii  bridge-utils                    1.5-4
ii  iproute                         20120521-3
ii  iptables                        1.4.14-2
ii  isc-dhcp-client [dhcp3-client]  4.2.2.dfsg.1-5
ii  netbase                         5.0

Versions of packages netscript-2.4 recommends:
ii  quagga  0.99.21-3

Versions of packages netscript-2.4 suggests:
ii  dnsmasq        2.62-3
ii  quagga         0.99.21-3
pn  resolvconf     none
pn  whereami       none
pn  wicd           none
pn  wpasupplicant  none

-- Configuration Files:
/etc/netscript/if.conf changed:
SED_IFSTR='s/\([A-Za-z]*\)[0-9]*$/\1/'
SED_IPV4STR='s/^.*inet \([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+[/0-9]\+\) .*$/\1/'
SED_IPV6STR='s/^.*inet6 \([0-9a-f]\+\:.*\:[0-9a-f]\+[/0-9]\+\) .*$/\1/'
SED_IPV6ADDR=sed -e 's/:0\+\([0-9a-fA-F]\+\)/:\1/g' | sed -e 
's/^0\+\([0-9a-fA-F]\+\)/\1/'| sed -e 's/\(:0\)\+:\(:0\)*\|\(:0\)*:\(:0\)\+/:/'
SED_IPV4ADDR=sed -e 's/\.0\+\([0-9a-fA-F]\+\)/.\1/g' | sed -e 
's/^0\+\([0-9a-fA-F]\+\)/\1/'
if_addr_start () {
local IPADDR2 ADDR ADDR2
local ADDRS
local ANS
local OIFS
local IFACE=$1
# Glue stuff
if [ -n $MASKLEN ]; then
IPADDR=${IPADDR}/${MASKLEN}
fi
if [ -n $PTPADDR ]; then
IPADDR=${IPADDR}_peer_${PTPADDR}
fi
if [ -n $BROADCAST ]; then
IPADDR=${IPADDR}_brd_${BROADCAST}
fi
if [ -n $IP_EXTRA_ADDRS ]; then
IPADDR=$IPADDR $IP_EXTRA_ADDRS
fi
# Take care of leading zeroes in supplied addresses
for ADDR in $IPADDR; do
if echo $ADDR | grep -q ':'; then
#IPv6
ADDR2=`echo $ADDR | eval $SED_IPV6ADDR` 
IPADDR2=$IPADDR2 $ADDR2
else
#IPv4
ADDR2=`echo $ADDR | eval $SED_IPV4ADDR`
IPADDR2=$IPADDR2 $ADDR2
fi
done
IPADDR=$IPADDR2
# Set up link MTU etc
ip link set $1 $IFCFG_MULTICAST $IFCFG_MTU

# Set up IPv6 Interface sysctl here before interface goes up
ifv6_setproc $1 accept_redirects $IPV6_ACCEPT_REDIRECTS
ifv6_setproc $1 accept_ra $IPV6_ACCEPT_RA
ifv6_setproc $1 accept_ra_pinfo $IPV6_ACCEPT_RA_PINFO
ifv6_setproc $1 accept_ra_rt_info_max_plen 
$IPV6_ACCEPT_RA_RT_INFO_MAX_PLEN
ifv6_setproc $1 disable_ipv6 $IPV6_DISABLE
ifv6_setproc $1 forwarding $IPV6_FWDING
ifv6_setproc $1 router_solicitations $IPV6_ROUTER_SOLICITATIONS
ifv6_setproc $1 use_tempaddr $IPV6_PRIVACY

# Bring the interface up
ip link set dev $1 up
# This one has to be set after interface up
ifv6_setproc $1 mtu $IPV6_MTU
# Set up the addresses on the interface

ADDRS=`ip addr show dev $IFACE |  grep '^.*inet[ 46]' \
| sed -e $SED_IPV4STR | sed -e $SED_IPV6STR`
for ADDR in $IPADDR; do
for ADDR2 in $ADDRS; do
ADDR2=`echo $ADDR2 | sed -e 's/\/32\|\/128//'`
ANS=${ADDR#$ADDR2}
if [ $ANS != $ADDR ]; then
continue 2
fi
done
OIFS=$IFS
IFS=${IFS}_
ip addr add $ADDR dev $IFACE
IFS=$OIFS
done

# Strip out addresses that should not be there
for ADDR in $ADDRS; do
# Don't delete IPv6 link local addresses
if echo $ADDR | grep -q -i '^fe[89ab]'; then
continue
fi
ANS=`echo $IPADDR | grep $ADDR`
if [ -z $ANS ]; then
ip addr del $ADDR dev $IFACE
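
The quoting failure this report describes, reduced to a runnable sketch (added here as an illustration, not code from netscript or from the report): when the 3rd or 4th argument expands to an empty string without quotes, it vanishes and the later arguments shift left. The function names and the four-slot layout (interface, action, bridge, options) are assumptions, since the real signature of `brg_iface` is not shown on this page.

```sh
#!/bin/sh
# Added illustration; not code from netscript. The four-slot layout
# (interface, action, bridge, options) is an assumed stand-in for brg_iface.

# Report which value landed in which positional slot.
show_slots() {
    printf 'argc=%s iface=[%s] action=[%s] bridge=[%s] opts=[%s]\n' \
        "$#" "${1-}" "${2-}" "${3-}" "${4-}"
}

# Weak form: 3rd and 4th arguments expanded without quotes. An empty value
# disappears and everything after it moves one slot to the left. A value
# containing spaces or glob characters would also be split or expanded.
call_unquoted() {
    # shellcheck disable=SC2086  # deliberate: this is the defect being shown
    show_slots "$1" "$2" $3 $4
}

# Corrected form: every expansion quoted, so an empty value keeps its slot.
call_quoted() {
    show_slots "$1" "$2" "$3" "$4"
}

# Defensive callee: refuse to act when the argument count is not the
# expected four, so a shifted call fails loudly instead of misconfiguring.
guarded_slots() {
    if [ "$#" -ne 4 ]; then
        echo "expected 4 arguments, got $#" >&2
        return 2
    fi
    show_slots "$@"
}

# The unquoted call routed through the guard.
guarded_unquoted() {
    # shellcheck disable=SC2086
    guarded_slots "$1" "$2" $3 $4
}

# Same class of bug inside a test: with an empty value, [ -n $v ] collapses
# to [ -n ], which is true because "-n" is itself a non-empty string.
nonempty_unquoted() { [ -n $1 ]; }
nonempty_quoted()   { [ -n "$1" ]; }

# Constructed sample: eth0 is not on a bridge, so the bridge slot is empty.
BRIDGE=""
OPTS="stp_off"
call_unquoted eth0 up "$BRIDGE" "$OPTS"
call_quoted   eth0 up "$BRIDGE" "$OPTS"
guarded_unquoted eth0 up "$BRIDGE" "$OPTS" || echo "guard rejected the shifted call"
```

Running `shellcheck` over a configuration script flags the unquoted expansions (SC2086) before they reach a live interface.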

Bug#679828: libc6: No easy way of enabling DNSSEC validation aka RES_USE_DNSSEC

2012-07-01 Thread Matthew Grant
Package: libc6
Version: 2.13-34
Severity: Serious
Tags: security

Hi!

I am submitting this report as there seems to be no easy way to get
DNSSEC validation happening for all DNS lookups.  This is a litmus test
to make sure we cover this matter, or see if we have an easy procedure
in wheezy to enable client DNSSEC validation.

With the DNS root zone now signed, and .org and .net, and many soon to
be done country specific TLDs, there does not appear to be any easy way
of taking advantage of this in wheezy or sid.

From my investigations this can only be enabled by recompiling each bit
of software to set the RES_USE_DNSSEC flag in _res.options, as well as
RES_USE_EDNS0. (Please see racoon bug #679483).  The enablement method
is from openssh 6.0p1, openbsd-compat/getrrsetbyname.c 

Please create a resolv.conf flag so that RES_USE_DNSSEC is available
to the systems administrator, and maybe a debconf screen to select it.

This is about proactively avoiding DNS spoofing and securing against it.

Regards,

Matthew Grant



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-34
ii  libgcc1   1:4.7.1-2

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.44
ii  glibc-doc              2.13-34
ii  locales                2.13-34

-- debconf information:
  glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
  glibc/restart-services:
  libraries/restart-without-asking: false






Bug#679481: racoon: Root network daemon compiled without _FORTIFY_SOURCE

2012-06-28 Thread Matthew Grant
Package: racoon
Version: 1:0.8.0-12
Severity: serious

Dear Maintainer,

Racoon has a history of network vulnerabilities, running as root on the host.
It is concerning that it is compiled without all hardening options employed.

debian/rules has CFLAGS -D_FORTIFY_SOURCE=0, default debian compile flags
are for this to be set to 2.  This was apparently done to get a 0.8.0 beta
release to compile on i386/i486.  Is this 0 setting needed any more? 

The lintian warnings given are 'hardening-no-fortify-source' which indicates
the program is compiled with strcpy strcat et al, and strncpy, strncat not
being substituted.


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages racoon depends on:
ii  adduser                3.113+nmu3
ii  debconf [debconf-2.0]  1.5.44
ii  ipsec-tools            1:0.8.0-12
ii  libc6                  2.13-33
ii  libcomerr2             1.42.4-3
ii  libgssapi-krb5-2       1.10.1+dfsg-1
ii  libk5crypto3           1.10.1+dfsg-1
ii  libkrb5-3              1.10.1+dfsg-1
ii  libldap-2.4-2          2.4.31-1
ii  libpam0g               1.1.3-7.1
ii  libssl1.0.0            1.0.1c-3
ii  perl                   5.14.2-12

racoon recommends no packages.

racoon suggests no packages.

-- Configuration Files:
/etc/racoon/psk.txt [Errno 13] Permission denied: u'/etc/racoon/psk.txt'
/etc/racoon/racoon-tool.conf changed [not included]

-- debconf information excluded






Bug#661668: racoon: uninstallable on squeeze - something error happened while pfkey initializing

2012-03-10 Thread Matthew Grant
Hi Simon!

Which kernel are you running with? Distribution or self-compiled.
Either your xfrm kernel modules are not loading or they are not compiled.

I will have a quick look into it, with a clean squeeze install.  If it
works there (which I think it will) I will be closing the bug.

Anyhow, I am reducing priority of this bug to normal as 0.8.0 is
working well in testing/unstable.

Cheers,

Matthew





Bug#650310: Jackd 2 driver buggy - puredata locks up toggling DSP on/off.

2011-11-28 Thread Matthew Grant
Package: puredata
Version: 0.43.0-4
Severity: grave
Tags: upstream

Puredata locks up when toggling DSP on/off, and it opens/closes its jackd
connections.  There are also problems running jackd asynchronously, with lots
of error messages.

What makes this bug grave is that most default Debian installs are running
pulseaudio which is a required dependency for the default desktop, and most
workstations only have one audio device.  Pulseaudio is very
hard to kill off, being restarted automatically when it is not there.

Puredata works with its ALSA drivers, but you cannot use those drivers with
pulseaudio hogging the audio devices.  Jackd2 can be installed and run from
qjackctl, which is what you expect if you want performance audio, but then
puredata will not work properly due to its buggy jack implementation.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.1.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages puredata depends on:
ii  puredata-core   0.43.0-4
ii  puredata-dev    0.43.0-4
ii  puredata-doc    0.43.0-4
ii  puredata-extra  0.43.0-4
ii  puredata-gui    0.43.0-4
ii  puredata-utils  0.43.0-4

Versions of packages puredata recommends:
ii  gem  1:0.92.3-2+b1

Versions of packages puredata suggests:
pn  pd-aubio   none
pn  pd-csound  none
pn  pd-pdp     none
pn  pd-zexy    none

-- no debconf information






Bug#643570: ipsec-tools: FTBFS(kfreebsd): symbol change

2011-09-27 Thread Matthew Grant
Hi

Setting up a Debian kfreebsd sid VM to get this sorted on the weekend.  If
you want to help, can give you ssh access.

Cheers,

Matthew

On Wed, Sep 28, 2011 at 6:28 AM, Christoph Egger christ...@debian.org wrote:

 Package: src:ipsec-tools
 Version: 1:0.8.0-6
 Severity: serious
 Tags: sid wheezy
 User: debian-...@lists.debian.org
 Usertags: kfreebsd
 X-Debbugs-Cc: debian-...@lists.debian.org

 Hi!

 Your package failed to build on the kfreebsd-* buildds:

 --- debian/ipsec-tools.symbols (ipsec-tools_1:0.8.0-6_kfreebsd-amd64)
 +++ dpkg-gensymbolsSHAP1q   2011-09-26 19:18:51.0 +
 @@ -71,7 +71,7 @@
  pfkey_send_get@Base 0.7.3
  pfkey_send_getspi@Base 0.7.3
  pfkey_send_getspi_nat@Base 0.8.0
 - pfkey_send_migrate@Base 0.7.3
 +#MISSING: 1:0.8.0-6# pfkey_send_migrate@Base 0.7.3
  pfkey_send_promisc_toggle@Base 0.7.3
  pfkey_send_register@Base 0.7.3
  pfkey_send_spdadd2@Base 0.7.3
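Review bot: `pfkey_send_migrate@Base 0.7.3` is listed unconditionally in debian/ipsec-tools.symbols but is reported as MISSING on kfreebsd-amd64. If the symbol is intentionally absent on this kernel, tag its line with an architecture restriction such as `(arch=linux-any)` rather than keeping a single entry that only holds on Linux.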
 make[1]: *** [override_dh_perl] Error 1
 make[1]: Leaving directory
 `/build/buildd-ipsec-tools_0.8.0-6-kfreebsd-amd64-RNpoBK/ipsec-tools-0.8.0'
 make: *** [binary-arch] Error 2

 Full build log at

 https://buildd.debian.org/status/fetch.php?pkg=ipsec-tools&arch=kfreebsd-amd64&ver=1%3A0.8.0-6&stamp=1317064813

 Regards

Christoph

 If you have further questions please mail debian-...@lists.debian.org

 --
 9FED 5C6C E206 B70A 5857  70CA 9655 22B9 D49A E731
 Debian Developer | Lisp Hacker | CaCert Assurer





Bug#613257: wiican: Depends on upstart

2011-04-17 Thread Matthew Grant
Sorry I have taken so long.

Just got to the point where I can work on this.  My Laptop with bluetooth
was out for the six with a crash on boot type scenario due to incorrect
kernel config...

Regards,

Matthew

On Sun, Apr 3, 2011 at 3:04 AM, Julien Cristau jcris...@debian.org wrote:

 severity 613257 serious
 kthxbye

 On Sun, Feb 13, 2011 at 11:06:03 -0800, Josh Triplett wrote:

  Package: wiican
  Version: 0.3.1-4
  Severity: normal
 
  wiican depends on upstart.  Normal packages should never depend on a
  particular init system; they just need to work with the init system the
  user has installed.  If the package provides an upstart job, I think a
  compatibility interface exists to run that job as a normal init script.
  If the package doesn't provide an upstart job, then you should just drop
  the dependency.
 
 Ack (actually, normal packages should *not* provide upstart jobs in
 Debian at this point, AFAIK).  In addition, wiiscan is being built on
 kfreebsd, but as upstart is not available there it's not installable.

 Cheers,
 Julien





Bug#305731: zaptel command ztcfg freezes on PowerPC causing boot failure

2005-04-21 Thread Matthew Grant
Package: zaptel
Version: 2:1.0.7-1.mag.1
Severity: critical
Tags: patch
Justification: breaks the whole system

ztcfg command freezes on zaptel module loads, halting boot process when
hotplug does its boot time stuff.

Same old Makefile/compiler flags problem as before - you forgot to put the 
double quotes around the arguments to grep!!!

Basically as same for fix for asterisk on PPC going potty when someone hangs
up on the voicemail!

Matthew Grant

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.11-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)

Versions of packages zaptel depends on:
ii  libc6   2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libnewt0.51 0.51.6-20Not Erik's Windowing Toolkit - tex

-- no debconf information
--- zaptel-1.0.7/debian/patches/Makefile.dpatch 2005-04-22 07:26:26.0 
+1200
+++ zaptel-1.0.7-mine/debian/patches/Makefile.dpatch2005-04-22 
07:25:02.0 +1200
@@ -27,7 +27,7 @@
  CFLAGS+=-I. -O4 -g -Wall -DBUILDING_TONEZONE #-DTONEZONE_DRIVER
 -CFLAGS+=$(shell if uname -m | grep -q ppc; then echo -fsigned-char; fi)
 -CFLAGS+=$(shell if uname -m | grep -q x86_64; then echo -m64; fi)
-+CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc\|powerpc\|arm\|s390; then 
echo -fsigned-char; fi)
++CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc\|powerpc\|arm\|s390; then 
echo -fsigned-char; fi)
 +CFLAGS+=$(shell if echo $(UNAME_M) | grep -q x86_64; then echo -m64; fi)
  LCFLAGS=-fPIC $(CFLAGS) -DBUILDING_TONEZONE
 -KFLAGS+=-I/usr/src/linux-2.4/include -O6
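Review bot: The removed and added `CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc\|powerpc\|arm\|s390; ...` lines are identical as shown, so the double quotes that the report says were missing cannot be seen or checked in this hunk. With the pattern unquoted, the shell consumes each backslash and grep receives `ppc|powerpc|arm|s390`, which basic grep matches as one literal string, so `-fsigned-char` is never emitted. Single-quoting the pattern, or using `grep -Eq 'ppc|powerpc|arm|s390'`, avoids depending on how make and the shell pass the quotes through.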


Bug#302847: zaptel command ztcfg freezes on Debian PowerPC causing boot failure.

2005-04-03 Thread Matthew Grant
Package: zaptel
Version: 1:1.0.7-1
Severity: critical
Tags: patch
Justification: breaks the whole system

When ztcfg executes due to zaptel module load during hotplug initialisation,
ztcfg does not exit causing boot process to stop.  Ctrl-C on console
will not recover condition. Machine must be power cycled.

This is specific to Debian PPC architecture.

Problem due to missing -fsigned-char to gcc when binaries are compiled.  This
is due to a typo in the grep executed in the Debian patch to the zaptel 
Makefile.

Patch is included. 

Matthew Grant
  

--- zaptel-1.0.7/debian/patches/Makefile.dpatch 2005-04-03 22:13:06.0 
+1200
+++ zaptel-1.0.7/debian/patches/Makefile.dpatch.orig2005-04-03 
22:13:24.0 +1200
@@ -27,7 +27,7 @@
  CFLAGS+=-I. -O4 -g -Wall -DBUILDING_TONEZONE #-DTONEZONE_DRIVER
 -CFLAGS+=$(shell if uname -m | grep -q ppc; then echo -fsigned-char; fi)
 -CFLAGS+=$(shell if uname -m | grep -q x86_64; then echo -m64; fi)
-+CFLAGS+=$(shell if echo $(UNAME_M) | egrep -q ppc|powerpc; then echo 
-fsigned-char; fi)
++CFLAGS+=$(shell if echo $(UNAME_M) | grep -q ppc; then echo -fsigned-char; 
fi)
 +CFLAGS+=$(shell if echo $(UNAME_M) | grep -q x86_64; then echo -m64; fi)
  LCFLAGS=-fPIC $(CFLAGS) -DBUILDING_TONEZONE
 -KFLAGS+=-I/usr/src/linux-2.4/include -O6
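Review bot: The file headers put `Makefile.dpatch` on the `---` side and `Makefile.dpatch.orig` on the `+++` side, so the hunk reads as going from the `egrep -q ppc|powerpc` line to the `grep -q ppc` line; please confirm that is the intended direction or regenerate the diff with the original file first. As shown, the `egrep` pattern is unquoted, so the shell treats `|` as a pipe and tries to run `powerpc` as a command instead of passing an alternation to egrep.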

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.11-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)

Versions of packages zaptel depends on:
ii  libc6   2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libnewt0.51 0.51.6-20Not Erik's Windowing Toolkit - tex

-- no debconf information





Bug#296209: gnome-icon-theme: New postint script - gtk-update-icon-cache problems, results in 'blank' icons!

2005-02-20 Thread Matthew Grant
Package: gnome-icon-theme
Version: 2.8.0-2
Severity: grave
Justification: renders package unusable


Upgrading from 2.8.0-1 results in all the icons in Nautilus turning to the
default 'blank page' icon, most of the icons in Evolution for email and folders
turn into red X crosses, and the show desktop icon in the panel going to a red
X cross as well.

Going back to the 2.8.0-1 version of the package fixed the problem for me.

Please fix this!  This bug is a major usability issues as it is not easy to 
tell if an email has an attachment, or whether a file is a directory or data!

Very off-putting to any Gnome user.

Is this a Powerpc only problem?  I don't think it is though

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.10-pmac-2.6
Locale: LANG=en_NZ, LC_CTYPE=en_NZ (charmap=ISO-8859-1)

Versions of packages gnome-icon-theme depends on:
ii  hicolor-icon-theme  0.7-1  default fallback theme for FreeDes

-- no debconf information

